Add service_manager::Sandbox::IsProcessSandboxed()

This is a very basic check that can be used to verify that the current
process is running under any kind of sandbox.

Change-Id: Iaee3f2a97c4dae72714297dcdf23b37ff7c6fdf4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2147677
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#759667}

content/browser/mojo_sandbox_browsertest.cc

@@ -7,6 +7,7 @@
 #include <utility>
 
 #include "base/bind.h"
+#include "base/command_line.h"
 #include "base/containers/span.h"
 #include "base/macros.h"
 #include "base/memory/read_only_shared_memory_region.h"
@@ -17,6 +18,7 @@
 #include "base/strings/string_piece.h"
 #include "base/task/post_task.h"
 #include "base/test/bind_test_util.h"
+#include "build/build_config.h"
 #include "content/browser/utility_process_host.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/browser/browser_thread.h"
@@ -24,6 +26,8 @@
 #include "content/public/test/test_service.mojom.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
+#include "services/service_manager/sandbox/sandbox.h"
+#include "services/service_manager/sandbox/switches.h"
 
 namespace content {
 namespace {
@@ -34,16 +38,27 @@ class MojoSandboxTest : public ContentBrowserTest {
  public:
   MojoSandboxTest() = default;
 
-  void SetUpOnMainThread() override {
+  using BeforeStartCallback = base::OnceCallback<void(UtilityProcessHost*)>;
+
+  void StartProcess(BeforeStartCallback callback = BeforeStartCallback()) {
     base::RunLoop run_loop;
     base::PostTaskAndReply(
         FROM_HERE, {BrowserThread::IO},
         base::BindOnce(&MojoSandboxTest::StartUtilityProcessOnIoThread,
-                       base::Unretained(this)),
+                       base::Unretained(this), std::move(callback)),
         run_loop.QuitClosure());
     run_loop.Run();
   }
 
+  mojo::Remote<mojom::TestService> BindTestService() {
+    mojo::Remote<mojom::TestService> test_service;
+    base::PostTask(FROM_HERE, {BrowserThread::IO},
+                   base::BindOnce(&MojoSandboxTest::BindTestServiceOnIoThread,
+                                  base::Unretained(this),
+                                  test_service.BindNewPipeAndPassReceiver()));
+    return test_service;
+  }
+
   void TearDownOnMainThread() override {
     base::RunLoop run_loop;
     base::PostTaskAndReply(
@@ -58,12 +73,19 @@ class MojoSandboxTest : public ContentBrowserTest {
   std::unique_ptr<UtilityProcessHost> host_;
 
  private:
-  void StartUtilityProcessOnIoThread() {
+  void StartUtilityProcessOnIoThread(BeforeStartCallback callback) {
     host_.reset(new UtilityProcessHost());
     host_->SetMetricsName("mojo_sandbox_test_process");
+    if (callback)
+      std::move(callback).Run(host_.get());
     ASSERT_TRUE(host_->Start());
   }
 
+  void BindTestServiceOnIoThread(
+      mojo::PendingReceiver<mojom::TestService> receiver) {
+    host_->GetChildProcess()->BindReceiver(std::move(receiver));
+  }
+
   void StopUtilityProcessOnIoThread() { host_.reset(); }
 
   DISALLOW_COPY_AND_ASSIGN(MojoSandboxTest);
@@ -72,15 +94,8 @@ class MojoSandboxTest : public ContentBrowserTest {
 // Ensures that a read-only shared memory region can be created within a
 // sandboxed process.
 IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessReadOnlySharedMemoryRegion) {
-  mojo::Remote<mojom::TestService> test_service;
-  base::PostTask(
-      FROM_HERE, {BrowserThread::IO},
-      base::BindOnce(
-          [](UtilityProcessHost* host,
-             mojo::PendingReceiver<mojom::TestService> receiver) {
-            host->GetChildProcess()->BindReceiver(std::move(receiver));
-          },
-          host_.get(), test_service.BindNewPipeAndPassReceiver()));
+  StartProcess();
+  mojo::Remote<mojom::TestService> test_service = BindTestService();
 
   bool got_response = false;
   base::RunLoop run_loop;
@@ -103,15 +118,8 @@ IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessReadOnlySharedMemoryRegion) {
 // Ensures that a writable shared memory region can be created within a
 // sandboxed process.
 IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessWritableSharedMemoryRegion) {
-  mojo::Remote<mojom::TestService> test_service;
-  base::PostTask(
-      FROM_HERE, {BrowserThread::IO},
-      base::BindOnce(
-          [](UtilityProcessHost* host,
-             mojo::PendingReceiver<mojom::TestService> receiver) {
-            host->GetChildProcess()->BindReceiver(std::move(receiver));
-          },
-          host_.get(), test_service.BindNewPipeAndPassReceiver()));
+  StartProcess();
+  mojo::Remote<mojom::TestService> test_service = BindTestService();
 
   bool got_response = false;
   base::RunLoop run_loop;
@@ -134,15 +142,8 @@ IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessWritableSharedMemoryRegion) {
 // Ensures that an unsafe shared memory region can be created within a
 // sandboxed process.
 IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessUnsafeSharedMemoryRegion) {
-  mojo::Remote<mojom::TestService> test_service;
-  base::PostTask(
-      FROM_HERE, {BrowserThread::IO},
-      base::BindOnce(
-          [](UtilityProcessHost* host,
-             mojo::PendingReceiver<mojom::TestService> receiver) {
-            host->GetChildProcess()->BindReceiver(std::move(receiver));
-          },
-          host_.get(), test_service.BindNewPipeAndPassReceiver()));
+  StartProcess();
+  mojo::Remote<mojom::TestService> test_service = BindTestService();
 
   bool got_response = false;
   base::RunLoop run_loop;
@@ -162,5 +163,59 @@ IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessUnsafeSharedMemoryRegion) {
   EXPECT_TRUE(got_response);
 }
 
+// Test for service_manager::IsProcessSandboxed().
+IN_PROC_BROWSER_TEST_F(MojoSandboxTest, IsProcessSandboxed) {
+  StartProcess();
+  mojo::Remote<mojom::TestService> test_service = BindTestService();
+
+  // The browser should not be considered sandboxed.
+  EXPECT_FALSE(service_manager::Sandbox::IsProcessSandboxed());
+
+  base::Optional<bool> maybe_is_sandboxed;
+  base::RunLoop run_loop;
+  test_service.set_disconnect_handler(run_loop.QuitClosure());
+  test_service->IsProcessSandboxed(
+      base::BindLambdaForTesting([&](bool is_sandboxed) {
+        maybe_is_sandboxed = is_sandboxed;
+        run_loop.Quit();
+      }));
+  run_loop.Run();
+  ASSERT_TRUE(maybe_is_sandboxed.has_value());
+  EXPECT_TRUE(maybe_is_sandboxed.value());
+}
+
+IN_PROC_BROWSER_TEST_F(MojoSandboxTest, NotIsProcessSandboxed) {
+  StartProcess(base::BindOnce([](UtilityProcessHost* host) {
+    host->SetSandboxType(service_manager::SandboxType::kNoSandbox);
+  }));
+  mojo::Remote<mojom::TestService> test_service = BindTestService();
+
+  // The browser should not be considered sandboxed.
+  EXPECT_FALSE(service_manager::Sandbox::IsProcessSandboxed());
+
+  base::Optional<bool> maybe_is_sandboxed;
+  base::RunLoop run_loop;
+  test_service.set_disconnect_handler(run_loop.QuitClosure());
+  test_service->IsProcessSandboxed(
+      base::BindLambdaForTesting([&](bool is_sandboxed) {
+        maybe_is_sandboxed = is_sandboxed;
+        run_loop.Quit();
+      }));
+  run_loop.Run();
+  ASSERT_TRUE(maybe_is_sandboxed.has_value());
+#if defined(OS_ANDROID)
+  // Android does not support unsandboxed utility processes. See
+  // org.chromium.content.browser.ChildProcessLauncherHelperImpl#createAndStart
+  EXPECT_TRUE(maybe_is_sandboxed.value());
+#else
+  // If the content_browsertests is launched with --no-sandbox, that will
+  // get passed down to the browser and all child processes. In that case,
+  // IsProcessSandboxed() will report true, per the API.
+  bool no_sandbox = base::CommandLine::ForCurrentProcess()->HasSwitch(
+      service_manager::switches::kNoSandbox);
+  EXPECT_EQ(no_sandbox, maybe_is_sandboxed.value());
+#endif
+}
+
 }  //  namespace
 }  //  namespace content

content/public/test/test_service.cc

@@ -9,6 +9,7 @@
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/run_loop.h"
+#include "services/service_manager/sandbox/sandbox.h"
 
 namespace content {
 
@@ -74,4 +75,8 @@ void TestService::CreateUnsafeSharedMemoryRegion(
   NOTREACHED();
 }
 
+void TestService::IsProcessSandboxed(IsProcessSandboxedCallback callback) {
+  std::move(callback).Run(service_manager::Sandbox::IsProcessSandboxed());
+}
+
 }  // namespace content

content/public/test/test_service.h

@@ -50,6 +50,7 @@ class TestService : public service_manager::Service, public mojom::TestService {
   void CreateUnsafeSharedMemoryRegion(
       const std::string& message,
       CreateUnsafeSharedMemoryRegionCallback callback) override;
+  void IsProcessSandboxed(IsProcessSandboxedCallback callback) override;
 
   service_manager::ServiceBinding service_binding_;
   service_manager::BinderRegistry registry_;

content/public/test/test_service.mojom

@@ -41,4 +41,7 @@ interface TestService {
   // exactly.
   CreateUnsafeSharedMemoryRegion(string message)
       => (mojo_base.mojom.UnsafeSharedMemoryRegion? region);
+
+  // Returns the result of service_manager::Sandbox::IsProcessSandboxed().
+  IsProcessSandboxed() => (bool is_sandboxed);
 };

content/shell/renderer/shell_content_renderer_client.cc

@@ -23,6 +23,7 @@
 #include "mojo/public/cpp/system/message_pipe.h"
 #include "net/base/net_errors.h"
 #include "ppapi/buildflags/buildflags.h"
+#include "services/service_manager/sandbox/sandbox.h"
 #include "third_party/blink/public/platform/web_url_error.h"
 #include "third_party/blink/public/web/web_testing_support.h"
 #include "third_party/blink/public/web/web_view.h"
@@ -103,6 +104,10 @@ class TestRendererServiceImpl : public mojom::TestService {
     NOTREACHED();
   }
 
+  void IsProcessSandboxed(IsProcessSandboxedCallback callback) override {
+    std::move(callback).Run(service_manager::Sandbox::IsProcessSandboxed());
+  }
+
   mojo::Receiver<mojom::TestService> receiver_;
 
   DISALLOW_COPY_AND_ASSIGN(TestRendererServiceImpl);

content/shell/utility/shell_content_utility_client.cc

@@ -31,6 +31,7 @@
 #include "mojo/public/cpp/bindings/self_owned_receiver.h"
 #include "mojo/public/cpp/bindings/service_factory.h"
 #include "mojo/public/cpp/system/buffer.h"
+#include "services/service_manager/sandbox/sandbox.h"
 #include "services/test/echo/echo_service.h"
 
 #if defined(OS_LINUX)
@@ -106,6 +107,10 @@ class TestUtilityServiceImpl : public mojom::TestService {
     std::move(callback).Run(std::move(region));
   }
 
+  void IsProcessSandboxed(IsProcessSandboxedCallback callback) override {
+    std::move(callback).Run(service_manager::Sandbox::IsProcessSandboxed());
+  }
+
  private:
   TestUtilityServiceImpl() = default;
 

services/service_manager/sandbox/sandbox.cc

@@ -4,17 +4,25 @@
 
 #include "services/service_manager/sandbox/sandbox.h"
 
+#include "base/command_line.h"
 #include "build/build_config.h"
+#include "services/service_manager/sandbox/switches.h"
+
+#if defined(OS_ANDROID)
+#include "base/android/jni_android.h"
+#endif  // defined(OS_ANDROID)
 
 #if defined(OS_LINUX)
 #include "services/service_manager/sandbox/linux/sandbox_linux.h"
 #endif  // defined(OS_LINUX)
 
 #if defined(OS_MACOSX)
+#include "sandbox/mac/seatbelt.h"
 #include "services/service_manager/sandbox/mac/sandbox_mac.h"
 #endif  // defined(OS_MACOSX)
 
 #if defined(OS_WIN)
+#include "base/process/process_info.h"
 #include "sandbox/win/src/sandbox.h"
 #include "services/service_manager/sandbox/win/sandbox_win.h"
 #endif  // defined(OS_WIN)
@@ -70,4 +78,49 @@ bool Sandbox::Initialize(SandboxType sandbox_type,
 }
 #endif  // defined(OS_WIN)
 
+// static
+bool Sandbox::IsProcessSandboxed() {
+  auto* command_line = base::CommandLine::ForCurrentProcess();
+  bool is_browser = !command_line->HasSwitch(switches::kProcessType);
+
+  if (!is_browser &&
+      base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoSandbox)) {
+    // When running with --no-sandbox, unconditionally report the process as
+    // sandboxed. This lets code write |DCHECK(IsProcessSandboxed())| and not
+    // break when testing with the --no-sandbox switch.
+    return true;
+  }
+
+#if defined(OS_ANDROID)
+  // Note that this does not check the status of the Seccomp sandbox. Call
+  // https://developer.android.com/reference/android/os/Process#isIsolated().
+  JNIEnv* env = base::android::AttachCurrentThread();
+  base::android::ScopedJavaLocalRef<jclass> process_class =
+      base::android::GetClass(env, "android/os/Process");
+  jmethodID is_isolated =
+      base::android::MethodID::Get<base::android::MethodID::TYPE_STATIC>(
+          env, process_class.obj(), "isIsolated", "()Z");
+  return env->CallStaticBooleanMethod(process_class.obj(), is_isolated);
+#elif defined(OS_FUCHSIA)
+  // TODO(https://crbug.com/1071420): Figure out what to do here. Process
+  // launching controls the sandbox and there are no ambient capabilities, so
+  // basically everything but the browser is considered sandboxed.
+  return !is_browser;
+#elif defined(OS_LINUX)
+  int status = SandboxLinux::GetInstance()->GetStatus();
+  constexpr int kLayer1Flags = SandboxLinux::Status::kSUID |
+                               SandboxLinux::Status::kPIDNS |
+                               SandboxLinux::Status::kUserNS;
+  constexpr int kLayer2Flags =
+      SandboxLinux::Status::kSeccompBPF | SandboxLinux::Status::kSeccompTSYNC;
+  return (status & kLayer1Flags) != 0 && (status & kLayer2Flags) != 0;
+#elif defined(OS_MACOSX)
+  return sandbox::Seatbelt::IsSandboxed();
+#elif defined(OS_WIN)
+  return base::GetCurrentProcessIntegrityLevel() < base::MEDIUM_INTEGRITY;
+#else
+  return false;
+#endif
+}
+
 }  // namespace service_manager

services/service_manager/sandbox/sandbox.h

@@ -52,6 +52,20 @@ class SERVICE_MANAGER_SANDBOX_EXPORT Sandbox {
   static bool Initialize(service_manager::SandboxType sandbox_type,
                          sandbox::SandboxInterfaceInfo* sandbox_info);
 #endif  // defined(OS_WIN)
+
+  // Returns true if the current process is running with a sandbox, and false
+  // if the process is not sandboxed. This should be used to assert that code is
+  // not running at high-privilege (e.g. in the browser process):
+  //
+  //    DCHECK(service_manager::Sandbox::IsProcessSandboxed());
+  //
+  // The definition of what constitutes a sandbox, and the relative strength of
+  // the restrictions placed on the process, and a per-platform implementation
+  // detail.
+  //
+  // Except if the process is the browser, if the process is running with the
+  // --no-sandbox flag, this unconditionally returns true.
+  static bool IsProcessSandboxed();
 };
 
 }  // namespace service_manager